[55986] in North American Network Operators' Group
Re: scripts to map IP to AS?
daemon@ATHENA.MIT.EDU (Travis Dawson)
Thu Feb 20 15:29:37 2003
From: Travis Dawson <tdawson@sprintlabs.com>
To: William Allen Simpson <wsimpson@greendragon.com>, nanog@merit.edu
Date: Thu, 20 Feb 2003 12:26:33 -0800
In-Reply-To: <3E54D37D.4617B03D@greendragon.com>
Errors-To: owner-nanog-outgoing@merit.edu
--=====================_4667080==.ALT
Content-Type: text/plain; charset="us-ascii"; format=flowed
You could just rune trace from a cisco router (or do a trace from a
looking glass). It shows the AS numbers along the path. Just pick out
the last one. It also has the advantage of telling you who is really
announcing it at this time rather then who 'should' be announcing it.
Guessing a script could be written using RANCID or some code from
lookingglass quite quickly.
Tracing the route to w2.scd.yahoo.com (66.218.71.81)
1 sjc3-core5-pos6-0.atlas.algx.net (165.117.48.62) 204 msec 204 msec
200 msec
2 sjc3-yahoo.peer.algx.net (165.117.67.110) 200 msec 200 msec 4 msec
3 ge-0-0-0-p32.pat2.pao.yahoo.com (216.115.100.76) [AS 10310] 200 msec
0 msec
ge-0-0-0-p31.pat2.pao.yahoo.com (216.115.100.68) [AS 10310] 200 msec
4 vl28.bas1.scd.yahoo.com (216.115.101.42) [AS 10310] 200 msec 204
msec 200 msec
5 w2.scd.yahoo.com (66.218.71.81) [AS 26101] 0 msec 204 msec 228 msec
At 08:09 AM 2/20/2003 -0500, William Allen Simpson wrote:
Anybody have a pointer to scripts to map IP to AS?
There are still 10K-20K hosts spewing M$SQL slammer/sapphire packets,
and I'd like to start blocking routing to those irresponsible AS's
that haven't blocked their miscreant customers.
http://isc.sans.org/port_details.html?port=1434
<http://isc.sans.org/port_details.html?port=1434>
--
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
-tdawson
-tdawson@sprintlabs.com
--=====================_4667080==.ALT
Content-Type: text/html; charset="us-ascii"
<html>
You could just rune trace from a cisco router (or do a trace from a
looking glass). It shows the AS numbers along the path. Just pick out the
last one. It also has the advantage of telling you who is really
announcing it at this time rather then who 'should' be announcing
it.<br>
Guessing a script could be written using RANCID or some code from
lookingglass quite quickly. <br><br>
<font face="Courier New, Courier">Tracing the route to w2.scd.yahoo.com
(66.218.71.81)<br><br>
1 sjc3-core5-pos6-0.atlas.algx.net (165.117.48.62) 204 msec 204
msec 200 msec<br>
2 sjc3-yahoo.peer.algx.net (165.117.67.110) 200 msec 200 msec 4
msec<br>
3 ge-0-0-0-p32.pat2.pao.yahoo.com (216.115.100.76) [AS 10310] 200
msec 0 msec<br>
ge-0-0-0-p31.pat2.pao.yahoo.com (216.115.100.68) [AS
10310] 200 msec<br>
4 vl28.bas1.scd.yahoo.com (216.115.101.42) [AS 10310] 200 msec 204
msec 200 msec<br>
5 w2.scd.yahoo.com (66.218.71.81) [AS 26101] 0 msec 204 msec 228
msec<br><br>
</font>At 08:09 AM 2/20/2003 -0500, William Allen Simpson
wrote:<br><br>
<blockquote type=cite class=cite cite>Anybody have a pointer to scripts
to map IP to AS? <br><br>
There are still 10K-20K hosts spewing M$SQL slammer/sapphire packets,
<br>
and I'd like to start blocking routing to those irresponsible AS's <br>
that haven't blocked their miscreant customers.<br><br>
<a href="http://isc.sans.org/port_details.html?port=1434" eudora="autourl">http://isc.sans.org/port_details.html?port=1434</a><br>
-- <br>
William Allen Simpson<br>
Key fingerprint = 17 40 5E 67 15 6F 31 26
DD 0D B9 9B 6A 15 2C 32 </blockquote>
<x-sigsep><p></x-sigsep>
-tdawson<br>
-tdawson@sprintlabs.com</html>
--=====================_4667080==.ALT--
